Date: Tue, 8 Mar 2005 15:04:12 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: "J.D. Bronson" <jbronson@wixb.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: pf question
Message-ID: <20050308130412.GA77181@orion.daedalusnetworks.priv>
In-Reply-To: <6.2.0.14.2.20050308064913.00b190b0@localhost>
References: <6.2.0.14.2.20050308064913.00b190b0@localhost>
On 2005-03-08 06:49, "J.D. Bronson" <jbronson@wixb.com> wrote:
> First my ifconfig -A:
>
> # ifconfig -A
> bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> address: xxxxxxxxxxxx
> media: Ethernet autoselect (100baseTX full-duplex)
> status: active
> inet 192.168.82.1 netmask 0xffffff00 broadcast 192.168.82.255
> inet 192.168.82.2 netmask 0xffffffff broadcast 192.168.82.2
>
>
> I use a rule in the firewall such as this:
> # macros
> int_if = "bge0"
>
> pass in on $int_if from $int_if:network to any modulate state
> pass out on $int_if from any to $int_if:network modulate state
>
> This expands to:
> pass in on bge0 inet from 192.168.82.0/24 to any modulate state
> pass in on bge0 inet from 192.168.82.2 to any modulate state
> pass out on bge0 inet from any to 192.168.82.0/24 modulate state
> pass out on bge0 inet from any to 192.168.82.2 modulate state
>
> Why does it pick the alias IP on the nic and not the actual IP?
> Is this intended by design?

Because the first IP address has a netmask with zero bits, and pf is smart enough to recognize this as part of a subnet/network (this is, after all, the meaning of the :network modifier). The alias IP has a netmask of 0xffffffff, which may match only that alias address.
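The expansion quoted above can be reproduced by masking each interface address with its own netmask, which is what pf's :network modifier does. The following is an added example (not code from the thread or from pf itself); the ifconfig text is a constructed sample taken from the quoted output, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the interface lines quoted in the message above.
# The 192.168.82.2 alias carries a /32 netmask (0xffffffff).
IFCONFIG_BGE0 = """\
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.82.1 netmask 0xffffff00 broadcast 192.168.82.255
inet 192.168.82.2 netmask 0xffffffff broadcast 192.168.82.2
"""

INET_RE = re.compile(r"^\s*inet (\S+) netmask (0x[0-9a-fA-F]{8})", re.M)


def interface_networks(ifconfig_text):
    """Networks an interface is attached to, derived the way :network
    derives them: each inet address is masked with its netmask, so a
    /24 netmask yields the /24 network and a /32 alias yields only that
    single host (no zero bits in the mask, so nothing else can match)."""
    nets = []
    for addr, hexmask in INET_RE.findall(ifconfig_text):
        mask = ipaddress.IPv4Address(int(hexmask, 16))
        nets.append(ipaddress.IPv4Network((addr, str(mask)), strict=False))
    return nets


def expand_network_macro(rule, iface, ifconfig_text):
    """Expand '<iface>:network' in a pf rule into one concrete rule per
    derived network. A /32 is printed as a bare host address, matching the
    expanded rules quoted in the thread."""
    expanded = []
    for net in interface_networks(ifconfig_text):
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        expanded.append(rule.replace(f"{iface}:network", target))
    return expanded


if __name__ == "__main__":
    template = "pass in on bge0 inet from bge0:network to any modulate state"
    for line in expand_network_macro(template, "bge0", IFCONFIG_BGE0):
        print(line)
```

On the firewall itself, `pfctl -nvf /etc/pf.conf` parses the ruleset without loading it and prints the same expanded rules, which is the quickest way to confirm what an alias address contributes before a change goes live.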